Forum Discussion
TLS1
That's what I'm saying though.
Ours has NO_TLSv1.3 so that should block 1 and 1.1, but our pen test says 1 and 1.1 is open.
Yeah, I think I made a mistake, as the cipher profile overrides some of that config and made it work.
no tls1.3 will not enable it, the config is a bit backwards. "enable" NO TLS for example is a positive then a negative.
So if you want tls 1.3 then you need to take that out of enable options.
This issue I think I had is that enable options needs something in there to work.
Have you got a test environment you could look at and test before you do this to see what happens?
- j_hardin80 Oct 03, 2023
Nimbostratus
yes, let's say we DO NOT want TLS 1, 1.1, 1.2 and 1.3 for this sake, our config has "enabled" NO_TLSv1.3 so that should block 1.3, 1.2, 1.1, and 1 correct?
BUT, if that is the case then I'm not sure where the TLS 1 and 1.1 is showing for the pen test as it shows 1 and 1.1 is active so therefore the above isn't working by blocking all the TLS version.
- PSFletchTheTek Oct 03, 2023
Cumulonimbus
No, that's the bit I think I've got wrong. Because the cipher profile works slightly differently.
NO TLS 1.3 is still letting in SSL, TLS 1 1.1 1.2 etc but Not 1.3
NB - TLS 1, 1.1, 1.2 and 1.3 would block ALL TLS. and NO TLS also blocks all.
You would then be left with just ssl!
- j_hardin80 Oct 03, 2023
Nimbostratus
Ohhh ok, so that may be my issue then, I just need to remove 1.3 and add 1 and 1.1 in there.
I'll try that! Thank you so much for clarifying that for me.
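The reading the thread arrives at (each NO_ entry switches off only the version it names), as an added example that is not part of any post above and not F5's own code. Option names other than NO_TLSv1.3 follow that spelling as assumptions, the function names are hypothetical, and the cipher-profile override mentioned in the thread is not modelled beyond flagging a mismatch with scan results.

```python
# Added example: option names follow the thread's "NO_TLSv1.3" spelling and are
# assumptions of this sketch, not verified product syntax.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_options(options):
    """Return the protocol versions named by NO_<version> entries."""
    disabled = set()
    for opt in options:
        name = opt.strip()
        if not name.upper().startswith("NO_"):
            continue  # other enabled options do not touch protocol versions here
        match = [p for p in PROTOCOLS if p.lower() == name[3:].lower()]
        if not match:
            raise ValueError(f"unknown protocol option: {opt!r}")
        disabled.add(match[0])
    return disabled


def enabled_protocols(options):
    """Versions still offered: everything not explicitly named by a NO_ entry."""
    disabled = parse_options(options)
    return [p for p in PROTOCOLS if p not in disabled]


def options_to_add(options, unwanted):
    """NO_ entries missing for versions that must be refused."""
    still_on = enabled_protocols(options)
    return ["NO_" + p for p in PROTOCOLS if p in unwanted and p in still_on]


def unexplained_by_options(options, scan_open):
    """Versions a scan reports open although the options list disables them.
    A non-empty result means something else (for example a cipher setting,
    as raised in the thread) is deciding the protocol set."""
    allowed = set(enabled_protocols(options))
    return [p for p in PROTOCOLS if p in scan_open and p not in allowed]


if __name__ == "__main__":
    current = ["NO_TLSv1.3"]              # constructed: the config described
    pentest = {"TLSv1", "TLSv1.1"}        # constructed: the pen test finding
    print("offered now:", enabled_protocols(current))
    print("add:", options_to_add(current, pentest))
    print("unexplained:", unexplained_by_options(current, pentest))
```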